If this is still not clear to you, please post your pf.conf file and tell us exactly what services you want redirected, and which you want excluded from redirection, so that we can provide specific guidance for your environment.

All we have from you is your single no rdr rule from your pre-4.7 system, and that is insufficient information to help you further, if these instructions are still unclear to you.

I already tried doing the rdr anyway with version 5.4 of PF, but it is not working.
I read the documentation and tried several ways, but could not.
I wish someone would analyze my pf.conf below to know where I am going wrong.

The last rule that matches will be in effect. Your two block all rules:

Code:

# Deny Policy
block in log all
block out log all

are after 4 of your pass rules: your binat pass, your nat pass, and your 2 rdr pass rules. These rules will never be used.

These rules work, but they can be replaced with set skip on lo0:

Code:

# Traffic Loopback
pass in quick on lo0 all
pass out quick on lo0 all

I cannot determine from your configuration file what traffic you do not want redirected. For lack of information, let us pretend, for a moment, that your original request at the top of this thread was in reference to this particular rule:

Code:

pass in on $ext_if proto tcp from any to $srv03_ext port 80 rdr-to $srv04_int port 80

Now that rule will never be applied, per your error above. But, if you move your default deny above it, it can then redirect traffic from any IP address. Let us also pretend that you have a table called <adm> that you do not want to redirect to $srv04_int port 80. Add a second rule, after this first rule:

Code:

pass in on $ext_if proto tcp from <adm> to $srv03_ext port 80

Is this clear? The first rule is the general case. The second rule is the narrower case, and the last matching rule applies. For addresses in the <adm> table, rdr-to will not apply.
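
The last-match behaviour discussed above can be checked with a small model. This is an added example, not part of the original posts and not PF's own code: a simplified evaluator for non-quick block and pass rules, where the addresses and the contents of the `<adm>` table are constructed sample values.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not from the thread.
SRV03_EXT = "192.0.2.80"                          # stands in for $srv03_ext
SRV04_INT = "10.0.0.4"                            # stands in for $srv04_int
ADM = [ipaddress.ip_network("198.51.100.0/28")]   # stands in for table <adm>

def in_adm(src):
    return any(ipaddress.ip_address(src) in net for net in ADM)

def any_src(src):
    return True

# Each rule: (action, source matcher, dst, port, rdr-to target or None).
# A dst or port of None means "all".
BLOCK_ALL = ("block", any_src, None, None, None)
RDR = ("pass", any_src, SRV03_EXT, 80, SRV04_INT)
ADM_EXCEPT = ("pass", in_adm, SRV03_EXT, 80, None)

def evaluate(rules, src, dst, port):
    """Return (action, final destination) for an inbound TCP packet.

    No rule here uses 'quick', so every rule is examined and the last
    match decides. rdr-to on a pass rule takes effect only when that
    rule is the last match.
    """
    action, target = "pass", None      # PF's implicit default is pass
    for act, src_ok, r_dst, r_port, rdr in rules:
        if src_ok(src) and r_dst in (None, dst) and r_port in (None, port):
            action, target = act, rdr
    if action == "block":
        return ("block", None)
    return ("pass", target or dst)

# Ordering criticised in the thread: default deny placed after the pass rule.
broken = [RDR, BLOCK_ALL]
# Ordering the reply recommends: deny first, general rdr-to, then the exception.
fixed = [BLOCK_ALL, RDR, ADM_EXCEPT]

if __name__ == "__main__":
    for name, rules in (("broken", broken), ("fixed", fixed)):
        for src in ("203.0.113.7", "198.51.100.5"):
            print(name, src, evaluate(rules, src, SRV03_EXT, 80))
```

Swapping `RDR` and `ADM_EXCEPT` in `fixed` makes the general rule the last match again, so addresses in the table are redirected like everyone else.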